The CMMC countdown is ticking. Doing nothing is not an option. If you do not get CMMC Certification, you will not be able to win DoD contracts.

CMMC History

CMMC consists mainly of the 110 controls that lie at the core of NIST 800-171. CMMC Certification will require a third-party assessment conducted by an independent C3PAO (CMMC Third-Party Assessor Organization). Defense contractors handling controlled unclassified information (CUI) have been required to meet NIST 800-171 since 2017.

The only piece still up in the air is when strict enforcement will begin.

When will CMMC be in Contracts?

CMMC is expected to be codified by the end of 2024 and to appear in some contracts in Q1 2025. However, this does not mean that companies should wait to begin a CMMC implementation plan. NIST 800-171, which CMMC is based on, is already required today. Furthermore, Primes are already beginning to require their subcontractors to meet CMMC compliance requirements ahead of the rule.

Preparing for CMMC Level 2

Given that CMMC will be in some contracts in Q1 2025, you need to get started on your compliance preparations, as it takes 12-18 months for the average defense contractor to get assessment ready. Doing nothing is not an option. If you do not get CMMC Certification, you will not be able to win DoD contracts.

Protecting CUI is at the core of NIST and thus CMMC compliance. Moreover, it is not enough to simply protect your CUI; you must also provide adequate documentation to prove that you are compliant. CMMC assessments will be conducted by C3PAOs at levels 2 and 3. C3PAO assessors will require your System Security Plan (SSP) to document how you are meeting each assessment objective, and they will require sufficient evidence to demonstrate that you are actively doing what is in your SSP.

Conclusion

The goal for defense contractors is to not only remain eligible to win defense contracts, but also to minimize business risk and keep CUI out of the hands of our country’s adversaries. By getting started on your organization’s compliance journey you can achieve these objectives and ensure your company is ready for ramped-up federal enforcement of cybersecurity regulations.

Are you ready? If not, contact us today. The clock is ticking.
